This specific vulnerability is addressable by server-side changes to enforce SSL when exchanging the tokens. I'm glad to hear that Google is moving forward on fixing this side of things. People are also saying it's only exploitable via WiFi, but I wouldn't be surprised to hear some type of 3G snooping as well.

BUT, this brings up major concerns that the Operating System versions for Android are so fractured, and ultimately are controlled by the wireless providers. Even though the latest version of Android don't exhibit this behavior, the mobile phone companies continue to drag their feet pushing the updates. This is akin to vendors which only support IE6...they drag their feet because they can. I think larger customers need to push back that we need prompt patching (or the ability to self-update!)